A third party with links to recruitment site Monster has left job seeker résumés and CVs exposed on an online server, revealing personal data.

The personal details include names, phone numbers, home addresses, email addresses and prior work experience.

TechCrunch, which first reported the breach, said that most exposed CVs were of people located in the US and spanned between 2014 and 2017.

The exact number of compromised files is unclear, but one folder contained “thousands of résumés”.

Monster said the database was secured in August, shortly after it was first reported.

In a statement to TechCrunch, Monster’s chief privacy officer Michael Jones said:

“The Monster Security Team was made aware of a possible exposure and notified the recruitment company of the issue.”

Monster added that it is the responsibility of its customers that purchased the data to protect candidate résumés and CVs, as well as to notify them in the event of a breach.

Security risks of exposed CVs

Security experts warned that the exposed personal data could, in the wrong hands, be used for a range of nefarious purposes.

“The personally identifiable information (PII) typically found on a résumé can lead to account hijacking and highly targeted phishing attacks if it falls into the wrong hands,” said Vinay Sridhara, CTO at cybersecurity firm Balbix.

“In fact, a threat actor can have password reset codes sent to a compromised phone number or email for far more sensitive accounts – both personal and professional.”

Erich Kron, security awareness advocate for cybersecurity awareness training provider KnowBe4, highlighted the lack of transparency around how CVs are used after the recruitment process is over.

“This is a lesson in how data can spread without people being aware of it,” he said.

“In this case, when we put our job history, resume and/or CV on these types of sites, we should assume that organisations are going to collect them as they review and use them for job considerations.

“Where things get murky is what happens with the information after it is used, and ensuring it was used in a proper manner in the first place. Currently, in the US, people are often completely unaware when data is processed by a third party. This is something that GDPR is designed to address.”
